Relevant RFC on A records for NS's
Scott Haneda
talklists at newgeo.com
Thu Apr 30 12:11:20 UTC 2009
On Apr 30, 2009, at 3:54 AM, Kal Feher wrote:
> Lets check where they are delegated:
> 1st the hostwizard domain
> $ dig ns hostwizard.com +short
> ns1.hostwizard.com.
> ns1.nacio.com.
>
> Now nacio
> $ dig ns nacio.com +short
> ns1.nacio.com.
> ns3.nacio.com.
> ns2.nacio.com.
>
> So what _should_ we see if I query ns1.nacio.com for hostwizard.com?
> Since the domain is delegated there, I would expect an authoritive
> answer
I would agree, that would be my hope at least, if not, I know
something is wrong.
> $ dig a ns1.hostwizard.com @ns1.nacio.com
>
> ; <<>> DiG 9.4.2-P2 <<>> a ns1.hostwizard.com @ns1.nacio.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1579
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns1.hostwizard.com. IN A
>
> ;; ANSWER SECTION:
> ns1.hostwizard.com. 3600 IN A 64.84.37.14
>
> ;; AUTHORITY SECTION:
> hostwizard.com. 3600 IN NS ns1.nacio.com.
> hostwizard.com. 3600 IN NS ns1.hostwizard.com.
>
> ;; ADDITIONAL SECTION:
> ns1.nacio.com. 3600 IN A 64.84.0.18
>
> ;; Query time: 177 msec
> ;; SERVER: 64.84.0.18#53(64.84.0.18)
> ;; WHEN: Thu Apr 30 20:45:00 2009
Right, so looks good to me so far.
> But what if I do the reverse? That is...query ns1.hostwizard.com for
> ns1.nacio.com. We know that nacio.com isnt delegated to it. What
> should
> ns1.hostwizard.com answer? Normally either an upwards referral to
> the root
> servers or (if caching is disabled) with refused. I added some *s for
> emphasis.
Here is where I would get a little blurry. Granted, you gave me the
answer :)
Had you not, I would have thought asking ns1.hostwizard.com for
ns1.nacio.com that you get nothing. I do not think I am supposed to be
answering the question of ns1.nacio.com from ns1.hostwizard.com
I would also wonder why that question ever even made it to my server.
If it does make its way, I would expect my server to do what it does
in most of the other cases when it does not know something, which is
pass the question on to a friend.
> $ dig ns1.nacio.com @ns1.hostwizard.com +norec
>
> ; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com +norec
> ;; global options: printcmd
> ;; Got answer:
> ****;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35446
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ns1.nacio.com. IN A
>
> ;; Query time: 250 msec
> ;; SERVER: 64.84.37.14#53(64.84.37.14)
> ;; WHEN: Thu Apr 30 20:49:50 2009
>
> ns1.hostwizard looks like it isn't answering from cache, (which is
> fine). So
> you shouldn't worry. Sorry for the overly verbose response ;)
Not at all, I truly appreciate the verbosity of your answer. I
wonder, how were you able to discern that it did not come from cache?
Just the fact it was REFUSED implied that? Or the fact you used
+norec, forces it in most cases, though not all are required from what
I am reading?
Thanks again.
--
Scott * If you contact me off list replace talklists@ with scott@ *
More information about the bind-users
mailing list